EAP-FAST phase2 failed
Stefan Paetow
Stefan.Paetow at ja.net
Thu Aug 7 23:25:46 CEST 2014
The log says this:
EAP-MSCHAPV2: eap_server Password not configured
EAP-FAST: Phase2 method failed
EAP-FAST: PHASE2_METHOD -> FAILURE
Leads me to believe you either need to configure EAP-FAST to use EAP-GTC or PAP as the second phase, or connect FR to SAMBA or Active Directory (which both speak MSCHAPv2).
Stefan
________________________________
From: freeradius-devel-bounces+stefan.paetow=ja.net at lists.freeradius.org [freeradius-devel-bounces+stefan.paetow=ja.net at lists.freeradius.org] on behalf of Ammu Argh [ammu3634 at gmail.com]
Sent: 07 August 2014 17:16
To: freeradius-devel at lists.freeradius.org
Subject: EAP-FAST phase2 failed
Hi,
I was trying to connect to an AP using EAP-FAST authentication.
But FreeRADIUS EAP-FAST failed with the error below:
State = 0x97d5bb340dc1cb0c525e6b44738f3553
Message-Authenticator = 0xdce2fb540845c5ee76a5f48b505bb4eb
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 4 length 107
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
[files] users: Matched entry DEFAULT at line 202
++[files] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+group EAP {
[eap2] Request found, released from the list
EAP: EAP entering state RECEIVED
EAP: parseEapResp: rxResp=1 respId=4 respMethod=43 respVendor=0 respVendorMethod=0
EAP: EAP entering state INTEGRITY_CHECK
EAP: EAP entering state METHOD_RESPONSE
SSL: Received packet(len=107) - Flags 0x01
SSL: Received packet: Flags 0x1 Message Length 0
EAP-FAST: Received 101 bytes encrypted data for Phase 2
EAP-FAST: Decrypted Phase 2 TLVs - hexdump(len=67): [REMOVED]
EAP-FAST: Received Phase 2: TLV type 9 length 63 (mandatory)
EAP-FAST: EAP-Payload TLV - hexdump(len=63): 02 04 00 3f 1a 02 04 00 3a 31 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 67 a5 fd 37 80 a6 91 10 ed 46 97 b2 70 75 aa cc 57 27 17 4e dc 0c 6c 00 77 69 66 69
EAP-FAST: Received Phase 2: code=2 identifier=4 length=63
EAP-MSCHAPV2: eap_server Password not configured
EAP-FAST: Phase2 method failed
EAP-FAST: PHASE2_METHOD -> FAILURE
EAP: EAP entering state SELECT_ACTION
EAP: getDecision: method failed -> FAILURE
EAP: EAP entering state FAILURE
EAP: Building EAP-Failure (id=4)
==> Fail
[eap2] Freeing handler
EAP: Server state machine removed
++[eap2] = reject
+} # group EAP = reject
Failed to authenticate the user.
Using Post-Auth-Type REJECT
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+group REJECT {
[attr_filter.access_reject] expand: %{User-Name} -> anonymous
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 4 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 4
Sending Access-Reject of id 117 to 10.10.2.2 port 46531
EAP-Message = 0x04040004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
Other details are as below:
Users file:
wifi Auth-Type := EAP, Cleartext-Password := "welcome123"
eap.conf
eap2 {
fast {
pac_opaque_encr_key = 000102030405060708090a0b0c0d0e0f
eap_fast_a_id = tjsys
eap_fast_a_id_info = my_server
eap_fast_prov = 3
pac_key_lifetime = 604800 # 7 days
pac_key_refresh_tim = 86400
}
tls {
ca_cert = /usr/local/etc/raddb/certs/ca.pem
server_cert = /usr/local/etc/raddb/certs/server.pem
private_key_file = /usr/local/etc/raddb/certs/server.key
private_key_password = whatever
dh_file = /usr/local/etc/raddb/certs/dh
random_file = /usr/local/etc/raddb/certs/random
}
}
Sites-enabled/default:
Added in authenticate block
Auth-Type EAP {
eap2
}
wpa_supplicant.conf
update_config=1
ap_scan=1
fast_reauth=1
network={
ssid="WiFi-11g"
key_mgmt=WPA-EAP
proto=WPA
pairwise=TKIP
group=TKIP
eap=FAST
anonymous_identity="fast"
identity="fast"
password="koro"
phase1="fast_provisioning=3"
pac_file="/data/misc/wifi/eap_fast.pac"
}
FreeRADIUS Version 2.2.5,
OpenSSL 1.0.1e 11
Ubuntu 14.04.1
Please help me to get it to work.
Regards
Ammu
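As an added example (not part of the original thread and not FreeRADIUS code), the EAP-Payload TLV hexdump in the debug log above can be decoded to confirm which inner method and inner identity the supplicant actually sent in Phase 2. The function names are my own, and the field layout assumed is the EAP-MSCHAPv2 Response format (OpCode, MS-CHAPv2-ID, MS-Length, Value-Size 49, Value, Name).

```python
import struct

# EAP-Payload TLV bytes copied from the "hexdump(len=63)" line of the log above.
PAYLOAD = bytes.fromhex(
    "02 04 00 3f 1a 02 04 00 3a 31 00 00 00 00 00 00"
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
    "00 00 28 67 a5 fd 37 80 a6 91 10 ed 46 97 b2 70"
    "75 aa cc 57 27 17 4e dc 0c 6c 00 77 69 66 69")

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 6: "GTC", 26: "MS-CHAPv2", 43: "EAP-FAST"}
MSCHAP_OPCODES = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure"}

def parse_mschapv2(body: bytes) -> dict:
    """Decode the MS-CHAPv2 data that follows the EAP type octet."""
    if len(body) < 4:
        raise ValueError("truncated MS-CHAPv2 header")
    opcode, ms_id, ms_len = struct.unpack("!BBH", body[:4])
    if ms_len != len(body):  # MS-Length is the EAP length minus 5
        raise ValueError(f"MS-Length {ms_len} != {len(body)} bytes present")
    out = {"opcode": MSCHAP_OPCODES.get(opcode, opcode), "mschap_id": ms_id}
    if opcode == 2:  # Response: 16 peer challenge, 8 reserved, 24 NT, 1 flags
        if len(body) < 54 or body[4] != 49:
            raise ValueError("bad Response Value-Size")
        value = body[5:54]
        out["peer_challenge"] = value[:16].hex()
        out["nt_response"] = value[24:48].hex()
        out["name"] = body[54:].decode("ascii", "replace")
    return out

def parse_inner_eap(data: bytes) -> dict:
    """Decode the inner EAP packet carried in an EAP-Payload TLV."""
    if len(data) < 5:
        raise ValueError("too short for an EAP request/response")
    code, ident, length, eap_type = struct.unpack("!BBHB", data[:5])
    if length != len(data):
        raise ValueError(f"EAP length {length} != {len(data)} bytes present")
    info = {"code": EAP_CODES.get(code, code), "id": ident,
            "method": EAP_TYPES.get(eap_type, eap_type)}
    if eap_type == 26:
        info.update(parse_mschapv2(data[5:]))
    return info

if __name__ == "__main__":
    for key, val in parse_inner_eap(PAYLOAD).items():
        print(f"{key:15} {val}")
```

The decoded packet is an EAP Response, type 26 (MS-CHAPv2), with Name "wifi", which matches the "EAP-MSCHAPV2: eap_server Password not configured" line that follows it in the log.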